Havex operators target mission-critical controllers around the world.


Corporate spies have found an effective way to plant their malware on the networks of energy companies and other industrial heavyweights—by hacking the websites of software companies and waiting for the targets to install trojanized versions of legitimate apps.

That's what operators of the Havex malware family have done with aplomb, according to a report published Tuesday by researchers from antivirus provider F-Secure. Over the past few months, the malware group has taken a specific interest in the types of industrial control systems (ICS) used to automate everything from switches in electrical substations to sensitive equipment in nuclear power plants. In addition to the normal infection channels of spam e-mail, the malware operators have added a new tack—replacing the normal installation files of third-party software with tainted copies that surreptitiously install a remote access trojan (RAT) on the computers of targeted companies.

"It appears the attackers abuse vulnerabilities in the software used to run the websites to break in and replace legitimate software installers available for download to customers," F-Secure researchers Daavid Hentunen and Antti Tikkanen wrote. "Our research uncovered three software vendor sites that were compromised in this manner. The software installers available on the sites were trojanized to include the Havex RAT. We suspect more similar cases exist but have not been identified yet."

The compromised websites belong to companies involved in the development of software used in industrial applications. Two of them supply remote management software used in industrial systems, and the third develops high-precision industrial cameras and related software. The unidentified software companies are located in Germany, Switzerland, and Belgium.

Invisible to the naked eye

Figure: Partial results of a dynamic analysis of a trojanized installer. (Credit: F-Secure)

The post goes on to demonstrate how hard it is to spot anything amiss in the trojanized installers. A dynamic analysis of one of the tainted installers showed it was nearly identical to the clean installer except for a single file—mbcheck.dll—that installs the RAT Havex operators use as a backdoor. The user is left with a computer that runs the third-party software as normal but is also wide open to the spies. F-Secure researchers hacked the poorly secured command and control servers used in the campaign and found that all of the targeted companies were associated in some way with the development or use of industrial applications or machines. One of the unnamed targets was located in California, and most or all of the others were in Europe.
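The one-file difference the dynamic analysis turned up is exactly what a defender can surface by hashing every file in an extracted copy of the vendor's clean installer and in the suspect copy, then diffing the two manifests. The following is an added example, not code from the article or from F-Secure; the directory layout and file contents are constructed samples, and only the name mbcheck.dll comes from the article.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file under root (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_installers(clean, suspect):
    """Report files added, removed, or changed in suspect relative to clean.

    Both arguments are manifests as returned by hash_tree(). A trojanized
    installer that is "nearly identical" to the clean one shows up here as a
    short list of added or changed files rather than a wall of differences.
    """
    added = sorted(set(suspect) - set(clean))
    removed = sorted(set(clean) - set(suspect))
    changed = sorted(p for p in set(clean) & set(suspect) if clean[p] != suspect[p])
    return {"added": added, "removed": removed, "changed": changed}


def build_sample_trees():
    """Construct two extracted installer trees: a clean one and a tainted copy.

    Constructed sample data: the vendor files and their bytes are invented;
    the only article-derived detail is the extra DLL name, mbcheck.dll.
    """
    base = Path(tempfile.mkdtemp())
    clean, suspect = base / "clean", base / "suspect"
    for root in (clean, suspect):
        (root / "bin").mkdir(parents=True)
        (root / "setup.exe").write_bytes(b"MZ vendor setup stub")
        (root / "bin" / "vendor.dll").write_bytes(b"MZ vendor library")
    # The tainted copy differs by a single dropped file, as the analysis found.
    (suspect / "bin" / "mbcheck.dll").write_bytes(b"MZ not a vendor file")
    return clean, suspect


def run_demo():
    """Hash both sample trees and return the manifest diff."""
    clean, suspect = build_sample_trees()
    return compare_installers(hash_tree(clean), hash_tree(suspect))
```

In practice the clean manifest would be taken from media obtained out of band from the vendor, since a download from the same compromised site gives no baseline.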

Infected computers send the operators a detailed list of all the other machines connected to the same local area network, pinpointing any that have "OPCServer" in their names. That's another indication of the interest in ICS, since Microsoft's OLE for Process Control is a standard way for Windows machines to interact with automated process control hardware, the F-Secure post notes. Using the Microsoft framework, the Havex trojan gathers details about connected devices. F-Secure researchers inside the command and control servers were able to monitor infected computers belonging to companies in multiple industries.


Infecting ICS and supervisory control and data acquisition (SCADA) gear used in even more mission-critical settings came into sharp focus following the discovery of Stuxnet, the cyberweapon that burrowed into an Iranian nuclear facility and destroyed uranium centrifuges. More recently there was the revelation of another ICS hack on the heating system of a New Jersey company. F-Secure's monitoring of the Havex operators indicates that attacks are only becoming more effective.

Promoted Comments

Yeah, and so... as much as I love reading about this stuff, how is it that SCADA and ICS-related apps are not cert signed?? In this day and age?? Crazy.

It's not a mystery. From my perspective, industrial control is not a glamorous world. It certainly shares little of the vibrancy that might be used to characterize the mobile market, as an example. There is no incentive to innovate quickly. In fact, some software/hardware integrators (and I talk to a fair number) find the slow pace of technological uptake in the automation realm to be too fast as it is for their taste.

If fighting with a certificate chain and signing authorities is a feature you want to promote then training the integrating programmers on the value of those things will have to precede the creation of these secure programs.

I also find that people blow me off when I comment to them that an 'air gap' is essential when designing a hardened system.